[openssl-dev] OpenSSL and certain PEM formats
Viktor Dukhovni
openssl-users at dukhovni.org
Fri Dec 19 15:05:32 UTC 2014
On Fri, Dec 19, 2014 at 08:47:55AM -0500, Daniel Kahn Gillmor wrote:
> Does OpenSSL have documented someplace exactly what it means to have a
> "TRUSTED CERTIFICATE"?
It is a certificate + auxiliary data which specifies a friendly name
plus a set of EKUs.
> For example, say we're talking about a certificate that I am willing to
> accept for the peer foo.example. If I mark it TRUSTED and it has
> another SubjectAltName of bar.example, will OpenSSL subsequently accept
> it for bar.example as well?
http://marc.info/?l=openssl-dev&m=115218769327835&w=2
There is no explicit association with a particular peer; it is up
to the application to add corresponding "trusted certificates" to
the store when validating particular peers for which such certificates
have been configured. If such a certificate is added to the default
store, then it will apply to all cases with a matching EKU.
--
Viktor.
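
The auxiliary data described in the reply above can be read directly from the DER inside a "TRUSTED CERTIFICATE" PEM block. This is an added example, not code from the original post or from OpenSSL; it assumes the aux layout of OpenSSL's X509_CERT_AUX (trust OID list, [0] reject OID list, UTF8String alias), and the helper names and the sample bytes are constructed for illustration.

```python
# Added example; helper names are its own. Well-known EKU OIDs:
EKU = {"1.3.6.1.5.5.7.3.1": "serverAuth", "1.3.6.1.5.5.7.3.2": "clientAuth",
       "1.3.6.1.5.5.7.3.4": "emailProtection"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def oid_names(seq_body):
    """Decode a run of OBJECT IDENTIFIERs to EKU names or dotted strings."""
    names, pos = [], 0
    while pos < len(seq_body):
        _, oid, pos = read_tlv(seq_body, pos)
        arcs, val = [], 0
        for b in oid:
            val = (val << 7) | (b & 0x7F)
            if not b & 0x80:
                arcs.append(val)
                val = 0
        first = min(arcs[0] // 40, 2)
        dotted = ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))
        names.append(EKU.get(dotted, dotted))
    return names

def parse_trusted(der):
    """Split into (certificate DER, aux); assumed layout: X509_CERT_AUX."""
    _, _, cert_end = read_tlv(der, 0)  # the plain X.509 certificate
    aux = {"trust": [], "reject": [], "alias": None}
    if cert_end < len(der):
        _, body, _ = read_tlv(der, cert_end)  # auxiliary SEQUENCE after it
        pos = 0
        while pos < len(body):
            tag, val, pos = read_tlv(body, pos)
            if tag == 0x30:    # trusted uses: SEQUENCE OF OID
                aux["trust"] = oid_names(val)
            elif tag == 0xA0:  # rejected uses: [0] SEQUENCE OF OID
                aux["reject"] = oid_names(val)
            elif tag == 0x0C:  # alias ("friendly name"): UTF8String
                aux["alias"] = val.decode("utf-8")
    return der[:cert_end], aux

# Constructed sample: placeholder certificate, then aux data (serverAuth + alias).
SAMPLE = bytes.fromhex("30020500" "3016300a06082b06010505070301" "0c08") + b"foo peer"
print(parse_trusted(SAMPLE)[1])
```

To inspect a real file, base64-decode the body of its PEM block and pass the bytes to `parse_trusted`. The parsed fields hold uses and a label only; no peer name appears among them, so scoping a trusted certificate to one peer is left to the store the application builds.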